Ralph Schindler wrote:
> Hey Lester,
>
>> That is almost archaic itself ...
>> It should be replaced with a pointer to using parameters ( no we do not
>> need 'prepared statements', just parameters ). One of the first things I
>> implement on any code that I'm porting. Does away with any agro over
>> escaping strings and is totally safe 'injection' wise.
>
> While I generally agree, 'just parameters' does have its limitations. Sometimes
> there are special character sequences that can be exploited to escape out of a
> quoted value in a SQL string.
>
> Offhand, this comes to mind about MySQL:
> http://bugs.mysql.com/bug.php?id=8378

Well if you must use a simple database ;)

I've never used MySQL simply because it has yet to get to the same standard as Firebird ... But I'm talking about passing parameters direct to '?' entries in the SQL - something which if it CAN be broken then the database is also broken? The database handles the 'data' going into a single field at a time.

--
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk//
Firebird - http://www.firebirdsql.org/index.php
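The distinction Lester draws above, between splicing a value into the SQL text (and then worrying about escaping) and binding it to a '?' placeholder so the database only ever sees it as data for one field, can be shown directly. The following is an added example, not code from the thread or from any of the projects mentioned; it uses Python's sqlite3 module, whose '?' parameters are bound natively by the engine, with a constructed three-row table. It runs the same three inputs through both styles: a plain name, a name containing a quote, and a value that is shaped like a quoted-value break-out.

```python
import sqlite3


def make_db():
    """Build a small in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("O'Brien", "user")],
    )
    conn.commit()
    return conn


def find_by_name_concat(conn, name):
    """String-splicing style: the value becomes part of the SQL text.
    A quote inside the value changes the statement itself, which is why
    this path needs escaping and why escaping bugs matter here."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_by_name_param(conn, name):
    """Parameter style: the SQL text is fixed and the value is bound to '?'.
    The engine receives the value as data for a single field, so no
    character sequence in it can alter the statement."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    """Run both styles on the same input and return what each produced,
    so the difference can be inspected (or asserted) rather than eyeballed."""
    conn = make_db()
    result = {"input": name}
    try:
        result["concat"] = find_by_name_concat(conn, name)
    except sqlite3.Error as exc:
        # A quote in the value breaks the spliced statement outright.
        result["concat"] = f"error: {exc}"
    result["param"] = find_by_name_param(conn, name)
    conn.close()
    return result


if __name__ == "__main__":
    # Constructed probe inputs: ordinary, quote-bearing, and break-out shaped.
    for probe in ["alice", "O'Brien", "x' OR '1'='1"]:
        print(compare(probe))
```

With the spliced query, "O'Brien" is a syntax error and the third input returns every row; with the bound parameter, "O'Brien" matches its own row and the third input matches nothing, because the whole string is compared as one value. That is the "data going into a single field at a time" behaviour Lester describes; it holds when the driver binds natively, which sqlite3 does, and the MySQL escaping bug Ralph cites lives on the escaping path that binding never takes.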

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
